(D)  Combining the personal information that the service provider receives from, or on behalf of, the business with
personal information that it receives from, or on behalf of, another person or persons, or collects from its own
interaction with the consumer, provided that the service provider may combine personal information to perform
any business purpose as defined in regulations adopted pursuant to paragraph (9) of subdivision (a) of Section
1798.185, except as provided for in paragraph (6) of subdivision (e) of this section and in regulations adopted by
the California Privacy Protection Agency. The contract may, subject to agreement with the service provider, permit
the business to monitor the service provider’s compliance with the contract through measures, including, but not
limited to, ongoing manual reviews and automated scans and regular assessments, audits, or other technical and
operational testing at least once every 12 months.
(2)  If a service provider engages any other person to assist it in processing personal information for a business purpose
on behalf of the business, or if any other person engaged by the service provider engages another person to assist in
processing personal information for that business purpose, it shall notify the business of that engagement, and the
engagement shall be pursuant to a written contract binding the other person to observe all the requirements set forth
in paragraph (1).
(ah) (1)  “Share,” “shared,” or “sharing” means sharing, renting, releasing, disclosing, disseminating, making available, transferring,
or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by
the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable
consideration, including transactions between a business and a third party for cross-context behavioral advertising
for the benefit of a business in which no money is exchanged. (2) For purposes of this title, a business does not share
personal information when:
(A)  A consumer uses or directs the business to intentionally disclose personal information or intentionally interact with
one or more third parties.
(B)  The business uses or shares an identifier for a consumer who has opted out of the sharing of the consumer’s
personal information or limited the use of the consumer’s sensitive personal information for the purposes of
alerting persons that the consumer has opted out of the sharing of the consumer’s personal information or limited
the use of the consumer’s sensitive personal information.
(C)  The business transfers to a third party the personal information of a consumer as an asset that is part of a merger,
acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business,
provided that information is used or shared consistently with this title. If a third party materially alters how it uses
or shares the personal information of a consumer in a manner that is materially inconsistent with the promises
made at the time of collection, it shall provide prior notice of the new or changed practice to the consumer.
The notice shall be sufficiently prominent and robust to ensure that existing consumers can easily exercise their
choices consistently with this title. This subparagraph does not authorize a business to make material, retroactive
privacy policy changes or make other changes in their privacy policy in a manner that would violate the Unfair and
Deceptive Practices Act (Chapter 5 (commencing with Section 17200) of Part 2 of Division 7 of the Business and
Professions Code).
(ai) “Third party” means a person who is not any of the following:
(1)  The business with whom the consumer intentionally interacts and that collects personal information from the consumer
as part of the consumer’s current interaction with the business under this title.
(2) A service provider to the business.
(3)  A contractor.
(aj)  “Unique identifier” or “unique personal identifier” means a persistent identifier that can be used to recognize a consumer,
a family, or a device that is linked to a consumer or family, over time and across different services, including, but not
limited to, a device identifier; an Internet Protocol address; cookies, beacons, pixel tags, mobile ad identifiers, or similar
technology; customer number, unique pseudonym, or user alias; telephone numbers, or other forms of persistent or
probabilistic identifiers that can be used to identify a particular consumer or device that is linked to a consumer or family.
California Consumer Privacy Act of 2018 (as amended by the
37 | 
California Privacy Rights Act of 2020) and Related Regulations